The data that Google collects from its users has been a hot topic for several years now but a recently reported research paper could spur further questions, particularly with regard to messages and phone calls. According to the paper, led by computer science professor Douglas Leith at the Trinity College Dublin, the company could be breaching European GDPR regulations. Specifically, by sending user data from its Messages and Dialer/Phone apps to its servers.
What did the research paper find about data in Google Messages and apps for calls?
The data Google collects is, according to Mr. Leith, taken from the messages and calls for a specific purpose. Namely, to assist in protective features. Such as filtering spam, showing business caller IDs, and other related features. Moreover, the data is sent via a SHA256 — a 128-bit hash value is sent to its servers. So it is effectively encrypted.
However, in principle, according to Mr. Leith, it is possible for short texts to be read following a reverse of the hash. Although that hasn’t happened yet. The company also shares the hash with its Google Play Services Clearcut logger service and Firebase Analytics to link the message sender, receiver, and devices. But the problem isn’t necessarily with the way the data is transferred or stored.
The specific data that are taken and the lack of privacy policies outlining the data collection appear to be at the root of the potential problem. According to Mr. Leith, the collection centers around a myriad of details. Including timestamps, phone numbers, incoming or outgoing logs, call duration, and length of messages.
Conversely, Google apps don’t have privacy policies to explain any of that. Despite that third-party apps on the Google Play Store do. And users don’t necessarily have access to that information either. Since the details don’t appear even when users access a service such as Google Takeout to export the data associated with their account. Google Play Services does inform users that some data is collected for security and fraud prevention, but there’s no explanation on why exactly message content and call info are collected.
Some of these issues have already been addressed
Now, Mr. Leith reportedly reached out to Google about the issues described in the research paper late last year and it has already begun to make some changes in conjunction with his recommendations. The search giant has also laid out more clearly how it uses the data that it collects from messages and calls.
For example, the company says that the message hash is collected for detecting bugs affecting the “sequencing” of messaging. And that phone numbers are collected to improve “pattern matching for automatic recognition of one-time passwords” sent via RCS. Moreover, according to Google, the ICCID data brought up in the report is used exclusively to “support” Google Fi.
Finally, it says that Firebase Analytics’ logging of events doesn’t include phone numbers. And that it’s used to measure whether downloaded apps are used once downloaded. Summarily, to measure app download promotions and their effectiveness.
However, not every point has been addressed as of this writing. And it remains to be seen whether any regulatory bodies decide to investigate the collections further, as has happened in the past.